Fatal error on startup with wildcard certificates#235

Open
opened 2023-07-20 16:06:59 +02:00 by tionis · 6 comments

I'm currently trying to deploy pages in a docker container built using the Dockerfile in the repo and using cloudflare for wildcard cert generation. On startup I'm getting the following error:

```
pages | 2:00PM ERR toCert conversion did discover mismatch error="domain key '*.tasadar.page' and cert domain 'tasadar.page' not equal"
pages | 2:00PM ERR Couldn't get cert for domain ".tasadar.page"
```

which seems to be related to the following database interface code: https://codeberg.org/Codeberg/pages-server/src/commit/d720d25e42eb5f1e63462a6665afdd0bebd364ae/server/database/interface.go#L63

```go
err := fmt.Errorf("domain key '%s' and cert domain '%s' not equal", name, c.Domain)
```

Same problem for me:

```
[INFO] [pages.git.antoinethys.net] Server responded with a certificate.
ERR toCert conversion did discover mismatch error="domain key '*.pages.git.antoinethys.net' and cert domain 'pages.git.antoinethys.net' not equal"
ERR Couldn't get cert for domain ".pages.git.antoinethys.net"
http: TLS handshake error from 172.23.0.1:47138: won't request certificate for main domain, something really bad has happened
```
Contributor

I also ran into this issue, and found checking out the commit from the most recent release (v4.6.3) resolved it for me. I'm a bit confused since that was released 3 weeks ago and the two comments above me are older than that, but it's possible this issue was fixed but then re-introduced.

Owner

Is this fixed by using the latest version?


Unfortunately not

crapStone added this to the v6.0 milestone 2023-11-20 19:31:04 +01:00
Contributor

I ran into the same issue with OVH as my domain provider and the v5.1 release of pages-server

Contributor

After some investigation, I believe the problem comes from https://codeberg.org/Codeberg/pages-server/src/commit/7e80ade24b8aac072804122b343a2a1a70667983/server/certificates/certificates.go#L202-L204:

```go
if useDnsProvider && domains[0] != "" && domains[0][0] == '*' {
	domains = domains[1:]
}
```

When requesting the main certificate, the wildcard domain is explicitly removed from the requested domains, leading to the request of a non-wildcard certificate:

```
$ sqlite3 certs.sqlite "SELECT certificate FROM cert WHERE domain = 'page.example.com' OR domain = '*.page.example.com'" | openssl x509 -noout -ext subjectAltName -subject
X509v3 Subject Alternative Name:
    DNS:page.example.com
subject=CN = page.example.com
```

When removing the 3 lines from the code, the certificate requested now matches the one used in prod by codeberg.page:

```
$ sqlite3 certs.sqlite "SELECT certificate FROM cert WHERE domain = 'page.example.com' OR domain = '*.page.example.com'" | openssl x509 -noout -ext subjectAltName -subject
X509v3 Subject Alternative Name:
    DNS:*.page.example.com, DNS:page.example.com
subject=CN = *.page.example.com
$ echo | openssl s_client -connect codeberg.page:443 2>&1 | sed --quiet '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -ext subjectAltName -subject
Warning: Reading certificate from stdin since no -in or -new option is given
X509v3 Subject Alternative Name:
    DNS:*.codeberg.page, DNS:codeberg.page
subject=CN=*.codeberg.page
```

Because of https://codeberg.org/Codeberg/pages-server/src/commit/7e80ade24b8aac072804122b343a2a1a70667983/server/certificates/certificates.go#L228-L233:

```go
if renew != nil && renew.CertURL != "" {
	if c.acmeUseRateLimits {
		c.acmeClientRequestLimit.Take()
	}
	log.Debug().Msgf("Renewing certificate for: %v", domains)
	res, err = acmeClient.Certificate.Renew(*renew, true, false, "")
```

an instance with an already valid cert will keep renewing the valid cert and not run into this issue, but a new instance is not able to generate a new certificate.
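As an added illustration (not code from pages-server or from anyone in this thread) of the mismatch analysed above and reported at the top of the issue: a small Go program that builds a self-signed certificate from the domain list the server would request, with and without the wildcard dropped, and then runs the kind of startup check a deployment could use to catch a stored certificate whose SANs do not cover its `*.domain` key. `RequestedDomains`, `CheckCertCoversKey`, `CertServesHost` and `Simulate` are hypothetical names; `page.example.com` and the self-signed certificate are constructed test material standing in for an ACME-issued cert.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// RequestedDomains builds the wildcard-plus-apex list for the main domain.
// dropWildcard reproduces the effect of the three lines quoted in the thread
// (hypothetical helper, not pages-server code).
func RequestedDomains(mainDomain string, dropWildcard bool) []string {
	domains := []string{"*." + mainDomain, mainDomain}
	if dropWildcard && domains[0] != "" && domains[0][0] == '*' {
		domains = domains[1:]
	}
	return domains
}

// newSelfSignedCert returns a throwaway PEM certificate whose SAN list is
// exactly dnsNames. Constructed test material, not a real issuance.
func newSelfSignedCert(dnsNames []string) ([]byte, error) {
	if len(dnsNames) == 0 {
		return nil, fmt.Errorf("no DNS names requested")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func parseCertPEM(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block in PEM data")
	}
	return x509.ParseCertificate(block.Bytes)
}

// CheckCertCoversKey reports whether the certificate's SAN list literally
// contains the database key it is stored under, the condition behind the
// "domain key ... and cert domain ... not equal" error. A "*.page.example.com"
// key needs a wildcard SAN; an apex-only SAN fails.
func CheckCertCoversKey(domainKey string, certPEM []byte) error {
	cert, err := parseCertPEM(certPEM)
	if err != nil {
		return err
	}
	for _, san := range cert.DNSNames {
		if san == domainKey {
			return nil
		}
	}
	return fmt.Errorf("domain key '%s' and cert SANs %v not equal", domainKey, cert.DNSNames)
}

// CertServesHost answers the operational question: would a client accept this
// certificate for a pages hostname? Name matching only, no chain verification.
func CertServesHost(certPEM []byte, host string) bool {
	cert, err := parseCertPEM(certPEM)
	return err == nil && cert.VerifyHostname(host) == nil
}

// Simulate reproduces the two outcomes from the thread: with the wildcard
// dropped the stored cert fails the key check and cannot serve user
// subdomains; with it kept, both succeed.
func Simulate(mainDomain string, dropWildcard bool) (keyErr error, servesSubdomain bool, err error) {
	certPEM, err := newSelfSignedCert(RequestedDomains(mainDomain, dropWildcard))
	if err != nil {
		return nil, false, err
	}
	return CheckCertCoversKey("*."+mainDomain, certPEM), CertServesHost(certPEM, "user."+mainDomain), nil
}

func main() {
	for _, drop := range []bool{true, false} {
		keyErr, serves, err := Simulate("page.example.com", drop)
		if err != nil {
			panic(err)
		}
		fmt.Printf("wildcard dropped=%v: key check error=%v, serves user.page.example.com=%v\n", drop, keyErr, serves)
	}
}
```

Running the program prints the failing key check and `serves user.page.example.com=false` for the dropped-wildcard case and a nil error with `true` for the kept-wildcard case. The literal SAN comparison in `CheckCertCoversKey` is deliberately stricter than hostname matching: it is the test a cache or database layer needs at load time, before any TLS handshake, to reject a certificate that was issued for the wrong name set.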
Reference
Codeberg/pages-server#235